diff options
| -rw-r--r-- | core/java/com/android/internal/os/RoSystemProperties.java | 2 | ||||
| -rw-r--r-- | core/java/com/android/server/SystemConfig.java | 38 | ||||
| -rw-r--r-- | data/etc/Android.mk | 25 | ||||
| -rw-r--r-- | data/etc/privapp-permissions-platform.xml | 324 | ||||
| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 23 |
5 files changed, 389 insertions, 23 deletions
diff --git a/core/java/com/android/internal/os/RoSystemProperties.java b/core/java/com/android/internal/os/RoSystemProperties.java index 80c55fb57186..759148817161 100644 --- a/core/java/com/android/internal/os/RoSystemProperties.java +++ b/core/java/com/android/internal/os/RoSystemProperties.java @@ -27,6 +27,8 @@ public class RoSystemProperties { SystemProperties.getInt("ro.debuggable", 0) == 1; public static final int FACTORYTEST = SystemProperties.getInt("ro.factorytest", 0); + public static final boolean CONTROL_PRIVAPP_PERMISSIONS = + SystemProperties.getBoolean("ro.control_privapp_permissions", false); // ------ ro.config.* -------- // public static final boolean CONFIG_LOW_RAM = diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java index 429131bfd320..168da5fa691d 100644 --- a/core/java/com/android/server/SystemConfig.java +++ b/core/java/com/android/server/SystemConfig.java @@ -25,6 +25,7 @@ import android.content.pm.PackageManager; import android.os.Environment; import android.os.Process; import android.os.storage.StorageManager; +import android.text.TextUtils; import android.util.ArrayMap; import android.util.ArraySet; import android.util.Slog; @@ -129,6 +130,9 @@ public class SystemConfig { final ArrayMap<String, List<String>> mDisabledUntilUsedPreinstalledCarrierAssociatedApps = new ArrayMap<>(); + + final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>(); + public static SystemConfig getInstance() { synchronized (SystemConfig.class) { if (sInstance == null) { @@ -194,6 +198,10 @@ public class SystemConfig { return mDisabledUntilUsedPreinstalledCarrierAssociatedApps; } + public ArraySet<String> getPrivAppPermissions(String packageName) { + return mPrivAppPermissions.get(packageName); + } + SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( @@ -507,6 +515,8 @@ public class SystemConfig { associatedPkgs.add(pkgname); } XmlUtils.skipCurrentTag(parser); + } else if ("privapp-permissions".equals(name) && allowAppConfigs) { + readPrivAppPermissions(parser); } else { XmlUtils.skipCurrentTag(parser); continue; @@ -584,4 +594,32 @@ public class SystemConfig { XmlUtils.skipCurrentTag(parser); } } + + void readPrivAppPermissions(XmlPullParser parser) throws IOException, XmlPullParserException { + String packageName = parser.getAttributeValue(null, "package"); + if (TextUtils.isEmpty(packageName)) { + Slog.w(TAG, "package is required for <privapp-permissions> in " + + parser.getPositionDescription()); + return; + } + + ArraySet<String> permissions = mPrivAppPermissions.get(packageName); + if (permissions == null) { + permissions = new ArraySet<>(); + } + int depth = parser.getDepth(); + while (XmlUtils.nextElementWithin(parser, depth)) { + String name = parser.getName(); + if ("permission".equals(name)) { + String permName = parser.getAttributeValue(null, "name"); + if (TextUtils.isEmpty(permName)) { + Slog.w(TAG, "name is required for <permission> in " + + parser.getPositionDescription()); + continue; + } + permissions.add(permName); + } + } + mPrivAppPermissions.put(packageName, permissions); + } } diff --git a/data/etc/Android.mk b/data/etc/Android.mk index 134ac0cacec9..6718259e4c2f 100644 --- a/data/etc/Android.mk +++ b/data/etc/Android.mk @@ -18,30 +18,17 @@ LOCAL_PATH := $(my-dir) ######################## include $(CLEAR_VARS) - LOCAL_MODULE := platform.xml - LOCAL_MODULE_CLASS := ETC - -# This will install the file in /system/etc/permissions -# LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions - LOCAL_SRC_FILES := $(LOCAL_MODULE) - include $(BUILD_PREBUILT) ######################## -#include $(CLEAR_VARS) - -#LOCAL_MODULE := required_hardware.xml - -#LOCAL_MODULE_CLASS := ETC - -# This will install the file in /system/etc/permissions -# -#LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions - -#LOCAL_SRC_FILES := $(LOCAL_MODULE) +include $(CLEAR_VARS) +LOCAL_MODULE := privapp-permissions-platform.xml +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions +LOCAL_SRC_FILES := $(LOCAL_MODULE) +include $(BUILD_PREBUILT) -#include $(BUILD_PREBUILT) diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml new file mode 100644 index 000000000000..3fc791439901 --- /dev/null +++ b/data/etc/privapp-permissions-platform.xml @@ -0,0 +1,324 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License + --> + +<!-- +This XML file declares which signature|privileged permissions should be granted to privileged +applications that come with the platform +--> +<permissions> + <privapp-permissions package="com.android.backupconfirm"> + <permission name="android.permission.BACKUP"/> + <permission name="android.permission.CRYPT_KEEPER"/> + </privapp-permissions> + + <privapp-permissions package="com.android.cellbroadcastreceiver"> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/> + <permission name="android.permission.RECEIVE_EMERGENCY_BROADCAST"/> + </privapp-permissions> + + <privapp-permissions package="com.android.contacts"> + <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/> + <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/> + </privapp-permissions> + + <privapp-permissions package="com.android.defcontainer"> + <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.dialer"> + <permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK"/> + <permission name="android.permission.CONTROL_INCALL_EXPERIENCE"/> + <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.STOP_APP_SWITCHES"/> + <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/> + <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/> + </privapp-permissions> + + <privapp-permissions package="com.android.emergency"> + <permission name="android.permission.MANAGE_USERS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.externalstorage"> + <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.launcher"> + <permission name="android.permission.BIND_APPWIDGET"/> + <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/> + </privapp-permissions> + + <privapp-permissions package="com.android.location.fused"> + <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/> + </privapp-permissions> + + <privapp-permissions package="com.android.managedprovisioning"> + <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/> + <permission name="android.permission.CHANGE_CONFIGURATION"/> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.CRYPT_KEEPER"/> + <permission name="android.permission.DELETE_PACKAGES"/> + <permission name="android.permission.INSTALL_PACKAGES"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_DEVICE_ADMINS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MASTER_CLEAR"/> + <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/> + <permission name="android.permission.SET_TIME"/> + <permission name="android.permission.SET_TIME_ZONE"/> + <permission name="android.permission.SHUTDOWN"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.mms.service"> + <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/> + <permission name="android.permission.BIND_CARRIER_SERVICES"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.mtp"> + <permission name="android.permission.MANAGE_USB"/> + </privapp-permissions> + + <privapp-permissions package="com.android.musicfx"> + <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.packageinstaller"> + <permission name="android.permission.CLEAR_APP_CACHE"/> + <permission name="android.permission.DELETE_PACKAGES"/> + <permission name="android.permission.INSTALL_PACKAGES"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.phone"> + <permission name="android.permission.ACCESS_IMS_CALL_SERVICE"/> + <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/> + <permission name="android.permission.BIND_CARRIER_SERVICES"/> + <permission name="android.permission.CALL_PRIVILEGED"/> + <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/> + <permission name="android.permission.CHANGE_CONFIGURATION"/> + <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.DUMP"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.LOCAL_MAC_ADDRESS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/> + <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/> + <permission name="android.permission.READ_SEARCH_INDEXABLES"/> + <permission name="android.permission.REBOOT"/> + <permission name="android.permission.REGISTER_CALL_PROVIDER"/> + <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/> + <permission name="android.permission.SEND_RESPOND_VIA_MESSAGE"/> + <permission name="android.permission.SET_TIME"/> + <permission name="android.permission.SET_TIME_ZONE"/> + <permission name="android.permission.SHUTDOWN"/> + <permission name="android.permission.STATUS_BAR"/> + <permission name="android.permission.STOP_APP_SWITCHES"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + <permission name="android.permission.UPDATE_DEVICE_STATS"/> + <permission name="android.permission.UPDATE_LOCK"/> + <permission name="android.permission.WRITE_APN_SETTINGS"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/> + <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/> + </privapp-permissions> + + <privapp-permissions package="com.android.providers.calendar"> + <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.providers.contacts"> + <permission name="android.permission.BIND_DIRECTORY_SEARCH"/> + <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.providers.downloads"> + <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/> + <permission name="android.permission.CLEAR_APP_CACHE"/> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.MODIFY_NETWORK_ACCOUNTING"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + <permission name="android.permission.UPDATE_DEVICE_STATS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.providers.media"> + <permission name="android.permission.ACCESS_MTP"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.providers.telephony"> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.provision"> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.server.telecom"> + <permission name="android.permission.BIND_CONNECTION_SERVICE"/> + <permission name="android.permission.BIND_INCALL_SERVICE"/> + <permission name="android.permission.CALL_PRIVILEGED"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.STOP_APP_SWITCHES"/> + </privapp-permissions> + + <privapp-permissions package="com.android.settings"> + <permission name="android.permission.ACCESS_CHECKIN_PROPERTIES"/> + <permission name="android.permission.ACCESS_NOTIFICATIONS"/> + <permission name="android.permission.BACKUP"/> + <permission name="android.permission.BATTERY_STATS"/> + <permission name="android.permission.BLUETOOTH_PRIVILEGED"/> + <permission name="android.permission.CHANGE_CONFIGURATION"/> + <permission name="android.permission.DELETE_PACKAGES"/> + <permission name="android.permission.FORCE_STOP_PACKAGES"/> + <permission name="android.permission.MANAGE_DEVICE_ADMINS"/> + <permission name="android.permission.MANAGE_FINGERPRINT"/> + <permission name="android.permission.MANAGE_USB"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MASTER_CLEAR"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> + <permission name="android.permission.MOVE_PACKAGE"/> + <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/> + <permission name="android.permission.PACKAGE_USAGE_STATS"/> + <permission name="android.permission.READ_SEARCH_INDEXABLES"/> + <permission name="android.permission.REBOOT"/> + <permission name="android.permission.SET_TIME"/> + <permission name="android.permission.STATUS_BAR"/> + <permission name="android.permission.TETHER_PRIVILEGED"/> + <permission name="android.permission.USER_ACTIVITY"/> + <permission name="android.permission.WRITE_APN_SETTINGS"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.sharedstoragebackup"> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + </privapp-permissions> + + <privapp-permissions package="com.android.shell"> + <permission name="android.permission.BACKUP"/> + <permission name="android.permission.BATTERY_STATS"/> + <permission name="android.permission.BIND_APPWIDGET"/> + <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/> + <permission name="android.permission.CHANGE_CONFIGURATION"/> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.DELETE_CACHE_FILES"/> + <permission name="android.permission.DELETE_PACKAGES"/> + <permission name="android.permission.DUMP"/> + <permission name="android.permission.FORCE_STOP_PACKAGES"/> + <permission name="android.permission.GET_APP_OPS_STATS"/> + <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/> + <permission name="android.permission.INSTALL_PACKAGES"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/> + <permission name="android.permission.MANAGE_DEVICE_ADMINS"/> + <permission name="android.permission.MODIFY_APPWIDGET_BIND_PERMISSIONS"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.MOUNT_FORMAT_FILESYSTEMS"/> + <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> + <permission name="android.permission.MOVE_PACKAGE"/> + <permission name="android.permission.READ_FRAME_BUFFER"/> + <permission name="android.permission.REAL_GET_TASKS"/> + <permission name="android.permission.REGISTER_CALL_PROVIDER"/> + <permission name="android.permission.REGISTER_CONNECTION_MANAGER"/> + <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/> + <permission name="android.permission.RETRIEVE_WINDOW_CONTENT"/> + <permission name="android.permission.SET_ALWAYS_FINISH"/> + <permission name="android.permission.SET_ANIMATION_SCALE"/> + <permission name="android.permission.SET_DEBUG_APP"/> + <permission name="android.permission.SET_PROCESS_LIMIT"/> + <permission name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/> + <permission name="android.permission.STOP_APP_SWITCHES"/> + <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.statementservice"> + <permission name="android.permission.INTENT_FILTER_VERIFICATION_AGENT"/> + </privapp-permissions> + + <privapp-permissions package="com.android.storagemanager"> + <permission name="android.permission.DELETE_PACKAGES"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.PACKAGE_USAGE_STATS"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.systemui"> + <permission name="android.permission.BATTERY_STATS"/> + <permission name="android.permission.BIND_APPWIDGET"/> + <permission name="android.permission.BLUETOOTH_PRIVILEGED"/> + <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.CONTROL_VPN"/> + <permission name="android.permission.DUMP"/> + <permission name="android.permission.GET_APP_OPS_STATS"/> + <permission name="android.permission.INTERACT_ACROSS_USERS"/> + <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/> + <permission name="android.permission.MANAGE_USB"/> + <permission name="android.permission.MANAGE_USERS"/> + <permission name="android.permission.MASTER_CLEAR"/> + <permission name="android.permission.MEDIA_CONTENT_CONTROL"/> + <permission name="android.permission.MODIFY_PHONE_STATE"/> + <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> + <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/> + <permission name="android.permission.READ_DREAM_STATE"/> + <permission name="android.permission.READ_FRAME_BUFFER"/> + <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/> + <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/> + <permission name="android.permission.REAL_GET_TASKS"/> + <permission name="android.permission.RECEIVE_MEDIA_RESOURCE_USAGE"/> + <permission name="android.permission.START_TASKS_FROM_RECENTS"/> + <permission name="android.permission.STATUS_BAR"/> + <permission name="android.permission.STOP_APP_SWITCHES"/> + <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/> + <permission name="android.permission.TETHER_PRIVILEGED"/> + <permission name="android.permission.UPDATE_APP_OPS_STATS"/> + <permission name="android.permission.WRITE_DREAM_STATE"/> + <permission name="android.permission.WRITE_MEDIA_STORAGE"/> + <permission name="android.permission.WRITE_SECURE_SETTINGS"/> + </privapp-permissions> + + <privapp-permissions package="com.android.vpndialogs"> + <permission name="android.permission.CONNECTIVITY_INTERNAL"/> + <permission name="android.permission.CONTROL_VPN"/> + </privapp-permissions> + +</permissions>
\ No newline at end of file diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index a9d10dd542de..d9e7019bf9de 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -233,6 +233,7 @@ import com.android.internal.content.PackageHelper; import com.android.internal.logging.MetricsLogger; import com.android.internal.os.IParcelFileDescriptorFactory; import com.android.internal.os.InstallerConnection.InstallerException; +import com.android.internal.os.RoSystemProperties; import com.android.internal.os.SomeArgs; import com.android.internal.os.Zygote; import com.android.internal.telephony.CarrierAppUtils; @@ -10394,14 +10395,28 @@ public class PackageManagerService extends IPackageManager.Stub { private boolean grantSignaturePermission(String perm, PackageParser.Package pkg, BasePermission bp, PermissionsState origPermissions) { - boolean allowed; - allowed = (compareSignatures( + boolean privilegedPermission = (bp.protectionLevel + & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0; + boolean controlPrivappPermissions = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS; + boolean platformPermission = PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage); + boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); + if (controlPrivappPermissions && privilegedPermission && pkg.isPrivilegedApp() + && !platformPackage && platformPermission) { + ArraySet<String> wlPermissions = SystemConfig.getInstance() + .getPrivAppPermissions(pkg.packageName); + boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); + if (!whitelisted) { + Slog.e(TAG, "Not granting privileged permission " + perm + " for package " + + pkg.packageName + " - not in privapp-permissions whitelist"); + return false; + } + } + boolean allowed = (compareSignatures( bp.packageSetting.signatures.mSignatures, pkg.mSignatures) == PackageManager.SIGNATURE_MATCH) || (compareSignatures(mPlatformPackage.mSignatures, pkg.mSignatures) == PackageManager.SIGNATURE_MATCH); - if (!allowed && (bp.protectionLevel - & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0) { + if (!allowed && privilegedPermission) { if (isSystemApp(pkg)) { // For updated system applications, a system permission // is granted only if it had been defined by the original application. |